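<!DOCTYPE html>
<html lang='en' dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>
<head>
<!-- Encoding declaration moved to the top of <head> so it is parsed before any external resource is fetched. -->
<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>
<link href='https://www.blogger.com/static/v1/widgets/55013136-widget_css_bundle.css' rel='stylesheet' type='text/css'/>
<meta content='width=device-width' name='viewport'/>
<meta content='blogger' name='generator'/>
<link href='https://blog.virustotal.com/favicon.ico' rel='icon' type='image/x-icon'/>
<link href='https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html' rel='canonical'/>
<link rel="alternate" type="application/atom+xml" title="VirusTotal Blog - Atom" href="https://blog.virustotal.com/feeds/posts/default" />
<link rel="alternate" type="application/rss+xml" title="VirusTotal Blog - RSS" href="https://blog.virustotal.com/feeds/posts/default?alt=rss" />
<link rel="service.post" type="application/atom+xml" title="VirusTotal Blog - Atom" href="https://www.blogger.com/feeds/6871606241422173914/posts/default" />

<link rel="alternate" type="application/atom+xml" title="VirusTotal Blog - Atom" href="https://blog.virustotal.com/feeds/3256453252814332978/comments/default" />
<!--Can't find substitution for tag [blog.ieCssRetrofitLinks]-->
<link href='https://lh7-us.googleusercontent.com/bTWJ1UA1ZZD4Rp1zveMMQnBj56Ml4m7CNrtWH5WhtyHoHeZ_jQDszTLVAzzMceuWMx6Ca8KuBfZohKHmbBvL4GXs54q5Ioh3BB8S_fpZBraBPB3hTZnQkjwbC6VDTaAjuKQTsaxIlY47PwEq0ShTu6a8UL3Z-JRQbkf4-cXBMvv1LGHiWc57ouscO9y4SK0PZdj0CqzFqZnbvLlZDlNUoKWYoV7KioE16SOr7w' rel='image_src'/>
<meta content='https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html' property='og:url'/>
<meta content='Sigma rules for Linux and MacOS' property='og:title'/>
<meta content=' TLDR : VT Crowdsourced Sigma rules will now also match suspicious activity for macOS and Linux binaries, in addition to Windows.   We recen...' property='og:description'/>
<meta content='https://lh7-us.googleusercontent.com/bTWJ1UA1ZZD4Rp1zveMMQnBj56Ml4m7CNrtWH5WhtyHoHeZ_jQDszTLVAzzMceuWMx6Ca8KuBfZohKHmbBvL4GXs54q5Ioh3BB8S_fpZBraBPB3hTZnQkjwbC6VDTaAjuKQTsaxIlY47PwEq0ShTu6a8UL3Z-JRQbkf4-cXBMvv1LGHiWc57ouscO9y4SK0PZdj0CqzFqZnbvLlZDlNUoKWYoV7KioE16SOr7w=w1200-h630-p-k-no-nu' property='og:image'/>
<!-- NOTE(review): third-party stylesheet from an external CDN, loaded without Subresource Integrity.
     Pin it with integrity="sha384-<hash of the served file>" crossorigin="anonymous" once the hash is
     computed, or self-host it. The scheme is now explicit https instead of protocol-relative. -->
<link href='https://netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css' rel='stylesheet'/>
<title>Sigma rules for Linux and MacOS ~ VirusTotal Blog</title>
<!-- Explicit https instead of a protocol-relative URL for the web-font stylesheet. -->
<link href="https://fonts.googleapis.com/css?family=Lato:100,300,400,700,900,100italic,300italic,400italic,700italic,900italic" media="all" rel="stylesheet" type="text/css">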
<!--[if lt IE 9]> <script type="text/javascript"> //<![CDATA[ /* HTML5 Shiv v3.7.0 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed */ (function(l,f){function m(){var a=e.elements;return"string"==typeof a?a.split(" "):a}function i(a){var b=n[a[o]];b||(b={},h++,a[o]=h,n[h]=b);return b}function p(a,b,c){b||(b=f);if(g)return b.createElement(a);c||(c=i(b));b=c.cache[a]?c.cache[a].cloneNode():r.test(a)?(c.cache[a]=c.createElem(a)).cloneNode():c.createElem(a);return b.canHaveChildren&&!s.test(a)?c.frag.appendChild(b):b}function t(a,b){if(!b.cache)b.cache={},b.createElem=a.createElement,b.createFrag=a.createDocumentFragment,b.frag=b.createFrag(); a.createElement=function(c){return!e.shivMethods?b.createElem(c):p(c,a,b)};a.createDocumentFragment=Function("h,f","return function(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&("+m().join().replace(/[\w\-]+/g,function(a){b.createElem(a);b.frag.createElement(a);return'c("'+a+'")'})+");return n}")(e,b.frag)}function q(a){a||(a=f);var b=i(a);if(e.shivCSS&&!j&&!b.hasCSS){var c,d=a;c=d.createElement("p");d=d.getElementsByTagName("head")[0]||d.documentElement;c.innerHTML="x<style>article,aside,dialog,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}mark{background:#FF0;color:#000}template{display:none}</style>"; c=d.insertBefore(c.lastChild,d.firstChild);b.hasCSS=!!c}g||t(a,b);return a}var k=l.html5||{},s=/^<|^(?:button|map|select|textarea|object|iframe|option|optgroup)$/i,r=/^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|label|li|ol|p|q|span|strong|style|table|tbody|td|th|tr|ul)$/i,j,o="_html5shiv",h=0,n={},g;(function(){try{var a=f.createElement("a");a.innerHTML="<xyz></xyz>";j="hidden"in a;var b;if(!(b=1==a.childNodes.length)){f.createElement("a");var c=f.createDocumentFragment();b="undefined"==typeof c.cloneNode|| "undefined"==typeof c.createDocumentFragment||"undefined"==typeof c.createElement}g=b}catch(d){g=j=!0}})();var e={elements:k.elements||"abbr article aside audio bdi canvas data 
datalist details dialog figcaption figure footer header hgroup main mark meter nav output progress section summary template time video",version:"3.7.0",shivCSS:!1!==k.shivCSS,supportsUnknownElements:g,shivMethods:!1!==k.shivMethods,type:"default",shivDocument:q,createElement:p,createDocumentFragment:function(a,b){a||(a=f); if(g)return a.createDocumentFragment();for(var b=b||i(a),c=b.frag.cloneNode(),d=0,e=m(),h=e.length;d<h;d++)c.createElement(e[d]);return c}};l.html5=e;q(f)})(this,document); //]]> </script> <![endif]-->
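<style id='page-skin-1' type='text/css'><!--
/*
-----------------------------------------------
Template Name  : Ryu
Author         : NewBloggerThemes.com
Author URL     : http://newbloggerthemes.com/
Theme URL      : http://newbloggerthemes.com/ryu-blogger-template/
Created Date   : Sunday, May 4, 2014
License        : GNU General Public License v2 or later
----------------------------------------------- */
body#layout ul{list-style-type:none;list-style:none}
body#layout ul li{list-style-type:none;list-style:none}
body#layout #headerbwrap {height:auto;}
body#layout #blogtitle {min-height:120px;}
body#layout #content {}
body#layout #slider {display:none;}
body#layout #nav2{width:90%;}
/* Variable definitions
====================
*/
/* Use this with templates/template-twocol.html */
.section,
.widget {
margin: 0;
padding: 0;
}
/* =Reset
----------------------------------------------- */
html,
body,
div,
span,
applet,
object,
iframe,
h1,
h2,
h3,
h4,
h5,
h6,
p,
blockquote,
pre,
a,
abbr,
acronym,
address,
big,
cite,
code,
del,
dfn,
em,
font,
ins,
kbd,
q,
s,
samp,
small,
strike,
strong,
sub,
sup,
tt,
var,
dl,
dt,
dd,
ol,
ul,
li,
fieldset,
form,
label,
legend,
table,
caption,
tbody,
tfoot,
thead,
tr,
th,
td {
border: 0;
font-family: inherit;
font-size: 100%;
font-style: inherit;
font-weight: inherit;
margin: 0;
outline: 0;
padding: 0;
vertical-align: baseline;
}
html {
font-size: 62.5%; /* Corrects text resizing oddly in IE6/7 when body font-size is set using em units http://clagnut.com/blog/348/#c790 */
overflow-y: scroll; /* Keeps page centred in all browsers regardless of content height */
-webkit-text-size-adjust: 100%; /* Prevents iOS text size adjust after orientation change, without disabling user zoom */
-ms-text-size-adjust: 100%; /* www.456bereastreet.com/archive/201012/controlling_text_size_in_safari_for_ios_without_disabling_user_zoom/ */
}
body {
background: #fff;
}
article,
aside,
details,
figcaption,
figure,
footer,
header,
hgroup,
nav,
section {
display: block;
}
ol,
ul {
list-style: none;
}
table {
/* tables still need 'cellspacing="0"' in the markup */
border-collapse: separate;
border-spacing: 0;
}
caption,
th,
td {
font-weight: normal;
text-align: left;
}
blockquote:before,
blockquote:after,
q:before,
q:after {
content: "";
}
blockquote,
q {
quotes: "" "";
}
a:focus {
outline: thin dotted;
}
a:hover,
a:active {
/* Improves readability when focused and also mouse hovered in all browsers people.opera.com/patrickl/experiments/keyboard/test */
outline: 0;
}
a img {
border: 0;
}
/* =Genericons
----------------------------------------------- */
/*
IE8 and below use EOT and allow cross-site embedding.
IE9 uses WOFF which is base64 encoded to allow cross-site embedding.
So unfortunately, IE9 will throw a console error, but it'll still work.
*/
@font-face {
font-family: Genericons;
src: url(fonts/genericons-regular-webfont.eot);
src: url(fonts/genericons-regular-webfont.eot?#iefix)
format("embedded-opentype"),
url(fonts/genericons-regular-webfont.woff) format("woff"),
url(fonts/genericons-regular-webfont.ttf) format("truetype"),
url(fonts/genericons-regular-webfont.svg#genericonsregular) format("svg");
font-weight: normal;
font-style: normal;
}
.genericon:before,
.genericon:after {
display: inline-block;
-webkit-font-smoothing: antialiased;
font: normal 16px/1 Genericons;
font-size: 1.6rem;
vertical-align: top;
}
/* =Global
----------------------------------------------- */
body,
button,
input,
select,
textarea {
color: #4d4d4d;
font-family: Lato, sans-serif;
font-size: 20px;
font-weight: 300;
line-height: 1.4782608695;
}
/* Selection */
::-moz-selection {
background: #2b3bbf;
color: #fff;
text-shadow: none;
}
::selection {
background: #2b3bbf;
color: #fff;
text-shadow: none;
}
/* Headings */
h1,
h2,
h3,
h4,
h5,
h6 {
clear: both;
font-family: Lato, sans-serif;
font-weight: 500;
margin-bottom: 17px;
}
h1 {
font-size: 34px;
line-height: 1;
}
h2 {
font-size: 30px;
line-height: 1;
}
h3 {
font-size: 28px;
line-height: 1.2142857142;
}
h4 {
font-size: 26px;
line-height: 1.3076923076;
}
h5 {
font-size: 24px;
line-height: 1.4166666666;
}
h6 {
font-size: 23px;
line-height: 1.4782608695;
}
hr {
background-color: rgba(0, 0, 0, 0.1);
border: 0;
height: 1px;
margin-bottom: 33px;
}
/* Text elements */
p {
margin-bottom: 34px;
}
ul {
list-style: disc;
margin: 0 0 34px 24px;
}
ol {
list-style: decimal;
margin: 0 0 34px 24px;
}
li > ul {
margin-bottom: 0;
margin-left: 24px;
}
li > ol {
margin-bottom: 0;
margin-left: 35px;
}
dt {
font-weight: bold;
}
dd {
margin: 0 0 34px;
}
b,
strong {
font-weight: bold;
}
dfn,
cite,
em,
i {
font-style: italic;
}
blockquote {
font-style: italic;
}
blockquote em,
blockquote i,
blockquote cite {
font-style: normal;
}
blockquote p {
font-family: Lato, sans-serif;
font-size: 38px;
line-height: 1.3421052631;
margin-bottom: 51px;
}
blockquote cite,
.quote-caption {
color: #808080;
font: 18px/1.8888888888 Lato, sans-serif;
font-weight: 400;
letter-spacing: 0.15em;
padding-left: 50px;
position: relative;
text-transform: uppercase;
}
.quote-caption {
display: inline;
}
blockquote cite a,
.quote-caption a {
color: #808080;
}
blockquote cite:before,
.quote-caption:before {
content: "";
background: #000;
width: 40px;
height: 1px;
position: absolute;
top: 10px;
left: 0;
}
address {
margin: 0 0 34px;
}
pre {
background: #f5f5f5;
font-family: "Courier 10 Pitch", Courier, monospace;
font-size: 19px;
line-height: 1.7894736842;
margin-bottom: 34px;
padding: 34px;
overflow: auto;
max-width: 100%;
}
code,
kbd,
tt,
var {
font: 19px/1.7894736842 Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono",
monospace;
}
abbr,
acronym {
border-bottom: 1px dotted #000;
cursor: help;
}
mark,
ins {
background: #000;
color: #fff;
text-decoration: none;
}
sup,
sub {
font-size: 75%;
height: 0;
line-height: 0;
position: relative;
vertical-align: baseline;
}
sup {
bottom: 1ex;
}
sub {
top: 0.5ex;
}
small {
font-size: 75%;
}
big {
font-size: 125%;
}
figure {
margin: 0 0 51px;
}
table {
margin: 0 0 34px;
width: 100%;
}
th {
font-weight: bold;
}
button,
input,
select,
textarea {
font-size: 100%; /* Corrects font size not being inherited in all browsers */
margin: 0; /* Addresses margins set differently in IE6/7, F3/4, S5, Chrome */
vertical-align: top;
}
button,
input {
line-height: normal; /* Addresses FF3/4 setting line-height using !important in the UA stylesheet */
*overflow: visible; /* Corrects inner spacing displayed oddly in IE6/7 */
}
button,
html input[type="button"],
input[type="reset"],
input[type="submit"] {
border: 0;
background: #000;
color: #fff;
cursor: pointer;
font: 700 12px/1 Lato, sans-serif;
letter-spacing: 0.1em;
padding: 11px 22px;
text-transform: uppercase;
}
button:hover,
html input[type="button"]:hover,
input[type="reset"]:hover,
input[type="submit"]:hover,
button:focus,
html input[type="button"]:focus,
input[type="reset"]:focus,
input[type="submit"]:focus {
background-color: #333;
}
button:active,
html input[type="button"]:active,
input[type="reset"]:active,
input[type="submit"]:active {
background-color: #333;
box-shadow: inset 0 0 8px 2px rgba(0, 0, 0, 0.2), 0 1px 0 0 rgba(0, 0, 0, 0.2);
}
input[type="checkbox"],
input[type="radio"] {
-moz-box-sizing: border-box;
box-sizing: border-box; /* Addresses box sizing set to content-box in IE8/9 */
padding: 0; /* Addresses excess padding in IE8/9 */
vertical-align: middle;
}
input[type="search"] {
-webkit-appearance: textfield; /* Addresses appearance set to searchfield in S5, Chrome */
-moz-box-sizing: border-box;
box-sizing: border-box;
}
input[type="search"]::-webkit-search-decoration {
/* Corrects inner padding displayed oddly in S5, Chrome on OSX */
-webkit-appearance: none;
}
button::-moz-focus-inner,
input::-moz-focus-inner {
/* Corrects inner padding and border displayed oddly in FF3/4 www.sitepen.com/blog/2008/05/14/the-devils-in-the-details-fixing-dojos-toolbar-buttons/ */
border: 0;
padding: 0;
}
input[type="text"],
input[type="email"],
input[type="password"],
input[type="search"],
textarea {
-moz-box-sizing: border-box;
box-sizing: border-box;
border-radius: 0;
color: #111;
border: 1px solid rgba(0, 0, 0, 0.1);
}
input[type="text"]:focus,
input[type="email"]:focus,
input[type="password"]:focus,
input[type="search"]:focus,
textarea:focus {
/* Keep a visible focus indicator for keyboard users; the former `outline: none`
   removed it with no replacement (the border does not change on focus).
   Same treatment as `a:focus` above. */
outline: thin dotted;
color: #111;
}
input[type="text"],
input[type="email"],
input[type="password"],
input[type="search"],
textarea {
font-size: 15px;
padding: 7px 3px 8px 7px;
}
textarea {
overflow: auto; /* Removes default vertical scrollbar in IE6/7/8/9 */
padding: 7px 7px 8px 7px;
vertical-align: top; /* Improves readability and alignment in all browsers */
width: 100%;
}
/* Links */
a,
a:visited,
a:active {
color: #3a4eff;
text-decoration: none;
}
a:hover,
a:focus {
color: #2b3bbf;
}
/* Animated elements */
#pagebwrap a,
button,
html input[type="button"],
input[type="reset"],
input[type="submit"],
#infinite-handle span,
[class*="navigation"] a span,
.entry-format-badge,
a.entry-format-badge:before {
-webkit-transition: all 0.2s ease-out;
-moz-transition: all 0.2s ease-out;
-ms-transition: all 0.2s ease-out;
-o-transition: all 0.2s ease-out;
transition: all 0.2s ease-out;
}
/* Alignment */
.alignleft {
display: inline;
float: left;
margin-right: 34px;
}
.alignright {
display: inline;
float: right;
margin-left: 34px;
}
.aligncenter {
clear: both;
display: block;
margin: 0 auto;
}
/* Text meant only for screen readers */
.screen-reader-text {
clip: rect(1px, 1px, 1px, 1px);
overflow: hidden;
position: absolute !important;
}
.screen-reader-text:hover,
.screen-reader-text:active,
.screen-reader-text:focus {
background-color: #f1f1f1;
border-radius: 3px;
box-shadow: 0 0 2px 2px rgba(0, 0, 0, 0.6);
clip: auto !important;
color: #21759b;
display: block;
font-size: 14px;
font-weight: bold;
height: auto;
left: 5px;
line-height: normal;
padding: 15px 23px 14px;
text-decoration: none;
top: 5px;
width: auto;
z-index: 100000; /* Above WP toolbar */
}
/* Avoiding a horizontal scroll bar */
.entry-format-badge .screen-reader-text {
right: 0;
}
/* Clearing */
.clearnbt:before,
.clearnbt:after {
content: "";
display: table;
}
.clearnbt:after {
clear: both;
}
/* Hidden */
.hide {
display: none;
}
/* =Basic Structure
----------------------------------------------- */
body {
background-color: #fdfdfd;
}
.wrapbwrap {
margin: 0 auto;
width: 90%;
}
#secondarybwrap{
display: flex;
justify-content: space-between;
flex-wrap: wrap;
}
#secondarybwrap > div {
width: 45%;
}
#pagebwrap {
border-top: 5px solid #3a4eff;
}
#colophonbwrap {
padding: 34px 0;
}
/* =Top Panel
----------------------------------------------- */
.toppanel {
background-color: #e6e6e6;
padding: 29px 0 34px;
border-bottom: 5px solid #3a4eff;
}
#social-links-wrapper {
text-align: center;
}
.social-linksbwrap {
display: inline-block;
list-style: none;
margin: -8px 0 0;
vertical-align: middle;
}
.social-linksbwrap li {
display: block;
float: left;
margin: 0 10px;
padding: 1px 0;
width: 30px;
height: 30px;
font-family: FontAwesome;
}
.social-linksbwrap a {
display: inline-block;
position: relative;
text-align: center;
text-decoration: none;
font-family: FontAwesome;
}
.social-linksbwrap a:before {
font-size: 35px;
color: #9b9b9b;
line-height: 1;
}
.twitter-link a:before {
content: "\f081";
}
.github-link a:before {
content: "\f092";
}
.youtube-link a:before {
content: "\f166";
}
#search-wrapperbwrap .searchform {
margin: 0 auto;
max-width: 408px;
}
#search-wrapperbwrap input[type="search"] {
border: 1px solid rgba(255, 255, 255, 0.2);
font-style: italic;
width: 100%;
}
#search-wrapperbwrap input[type="submit"] {
display: none;
}
/* Triggers */
#triggers-wrapperbwrap {
text-align: center;
}
.triggersbwrap {
display: inline-block;
margin: 0 0 34px;
vertical-align: top;
}
.triggersbwrap li {
float: left;
list-style: none;
text-align: center;
}
.triggersbwrap a {
background-color: #3a4eff;
color: #fff;
display: block;
width: 72px;
height: 34px;
}
/* Hover and keyboard focus share the same highlight so the trigger stays
   visible when tabbed to (its outline is suppressed below). */
.triggersbwrap a:hover,
.triggersbwrap a:focus {
background-color: #2b3bbf;
}
.triggersbwrap a:focus {
outline: 0;
}
.widgets-triggerbwrap a:before {
font-family: FontAwesome;
content: "\f0c9";
margin-top: 7px;
}
.social-links-triggerbwrap a:before {
font-family: FontAwesome;
content: "\f0c1";
font-size: 24px;
margin-top: 4px;
}
.search-triggerbwrap a:before {
font-family: FontAwesome;
content: "\f002";
margin-top: 7px;
}
/* =Masthead
----------------------------------------------- */
#mastheadbwrap {
border-bottom: 1px solid rgba(0, 0, 0, 0.1);
}
#mastheadbwrap .wrapbwrap {
text-align: center;
}
.header-imagebwrap {
margin-bottom: 16px;
-webkit-border-radius: 50%;
-moz-border-radius: 50%;
border-radius: 50%;
}
#mastheadbwrap img[src*="gravatar"] {
border-radius: 50%;
}
#mastheadbwrap .mastheadbwrapgroup {
margin-bottom: 34px;
}
.site-title {
font: 700 23px/1.4782608695 Lato, sans-serif;
letter-spacing: 0.1em;
margin: 0;
text-align: center;
text-transform: uppercase;
}
.site-title a {
text-decoration: none;
}
.site-description {
font: italic 400 14px/2.4285714285 Lato, sans-serif;
margin: 0;
text-align: center;
}
/* =Menu
----------------------------------------------- */
.navigation-mainbwrap {
border-top: 1px solid rgba(0, 0, 0, 0.1);
clear: both;
display: block;
font: 700 13px/1.3076923076 Lato, sans-serif;
letter-spacing: 0.05em;
text-transform: uppercase;
width: 100%;
}
.navigation-mainbwrap .menubwrap {
max-width: 1272px;
margin: 0 auto;
}
.navigation-mainbwrap ul {
list-style: none;
margin: 0;
padding-left: 0;
text-align: center;
}
.navigation-mainbwrap li {
display: inline-block;
position: relative;
}
.navigation-mainbwrap li:after {
font-family: FontAwesome;
content: "\f105";
display: inline-block;
font-size: 11px;
margin-top: -4px;
vertical-align: middle;
}
.navigation-mainbwrap li:last-child:after {
content: "";
}
.navigation-mainbwrap a {
display: inline-block;
line-height: 2.6153846153;
padding: 0 10px;
text-decoration: none;
white-space: nowrap;
}
.navigation-mainbwrap ul ul {
background-color: #000;
display: none;
float: left;
position: absolute;
top: 2.6153846153em;
left: 0;
text-align: left;
z-index: 99999;
}
.navigation-mainbwrap li li {
display: block;
}
.navigation-mainbwrap li li:after {
content: "";
display: block;
margin: 0;
}
.navigation-mainbwrap ul ul ul {
left: 100%;
top: 0;
}
.navigation-mainbwrap ul ul a {
color: #fff;
line-height: 1.3076923076;
padding: 0.6153846153em 10px 0.6923076923em;
white-space: normal;
width: 170px;
}
.navigation-mainbwrap ul ul a:hover {
background-color: #333;
color: #fff;
}
.navigation-mainbwrap ul li:hover > ul {
display: block;
}
.navigation-mainbwrap a:hover,
.navigation-mainbwrap li.current_page_item > a,
.navigation-mainbwrap li.current-menu-item > a {
color: #2b3bbf;
}
/* Small menu */
.menu-togglebwrap {
display: none;
cursor: pointer;
font: 700 18px/1 Lato, sans-serif;
margin: 0;
padding: 25px 0;
text-align: center;
text-transform: uppercase;
}
.main-small-navigation {
border-top: 1px solid rgba(0, 0, 0, 0.1);
font: 700 13px/1.3076923076 Lato, sans-serif;
letter-spacing: 0.05em;
text-transform: uppercase;
}
.main-small-navigation a {
display: block;
}
.main-small-navigation ul {
display: none;
list-style: none;
margin-left: 0;
}
.main-small-navigation ul > li {
border-top: 1px solid rgba(0, 0, 0, 0.1);
padding: 8px 0;
}
.main-small-navigation ul ul > li:first-child {
margin-top: 8px;
}
.main-small-navigation ul > li:last-child {
padding-bottom: 0;
}
@media screen and (max-width: 600px) {
.menu-togglebwrap,
.main-small-navigation ul.nav-menu.toggled-on,
.main-small-navigation ul ul {
display: block;
}
.navigation-mainbwrap ul {
display: none;
}
}
/* =Content
----------------------------------------------- */
.sticky .bpostentry-date {
}
.entry-wrap {
margin: 0 auto;
max-width: 1272px;
display: flex;
flex-wrap: wrap;
}
.img-wrapper {
width: 25%;
align-self: center;
margin-right: 50px;
display: flex;
justify-content: center;
align-items: flex-start;
}
.entry-wrapper {
flex: 1;
max-width: 100%;
}
.hentry {
border-bottom: 1px solid rgba(0, 0, 0, 0.1);
padding: 50px 0 48px;
}
.attachment-ryu-featured-thumbnail {
display: block;
margin: 0 auto 34px;
vertical-align: middle;
}
.entry-title {
/* `font: Lato, sans-serif` is not a valid `font` shorthand (no size) and was
   discarded by the parser; the family is what was intended. */
font-family: Lato, sans-serif;
margin: 0;
}
.entry-title a:hover {
color: #2b3bbf;
}
.bpostcategories-links {
display: block;
font: 700 14px/1.2142857142 Lato, sans-serif;
letter-spacing: 0.1em;
max-width: 696px;
padding: 8px 0 9px;
text-transform: uppercase;
}
.bpostentry-meta {
display: block;
font: 400 13px/1.3076923076 Lato, sans-serif;
letter-spacing: 0.1em;
margin-top: 10px;
padding: 8px 0 9px;
text-transform: uppercase;
}
.bpostentry-meta span + span:before {
font-family: FontAwesome;
content: "\0020\007c\0020";
color: rgba(0, 0, 0, 0.2);
}
.byline {
}
.single .byline,
.group-blog .byline {
}
.entry-content [dir="ltr"] * {
max-width: 100% !important;
width: inherit !important;
height: inherit !important;
}
.entry-content [imageanchor="1"] {
margin: 0 !important;
}
.entry-content h3 * {
white-space: normal !important;
}
.entry-content,
.entry-summary {
margin-top: 34px;
width: 100%;
}
.entry-content a:not(.morer):not([imageanchor="1"]) {
color: #4d4d4d;
border-bottom: solid 1px;
}
.entry-content .morer-container,
.entry-summary .morer-container {
float:right;
padding-right:10px;
margin-top:10px;
}
.entry-content a.morer,
.entry-summary a.morer {
border-bottom: 1px solid #3a4eff;
}
.entry-content a:hover,
.entry-summary a:hover {
color: #2b3bbf;
}
.entry-content table,
.entry-summary table {
border: 1px solid rgba(0, 0, 0, 0.1);
border-width: 1px 0 0 1px;
margin-bottom: 34px;
width: 100%;
}
.entry-content th,
.entry-summary th {
border: 1px solid rgba(0, 0, 0, 0.1);
border-width: 0 1px 1px 0;
font-size: 17px;
font-weight: normal;
letter-spacing: 0.1em;
padding: 8px 8px 9px 8px;
text-transform: uppercase;
}
.entry-content td,
.entry-summary td {
border: 1px solid rgba(0, 0, 0, 0.1);
border-width: 0 1px 1px 0;
padding: 8px 8px 9px 8px;
}
/* =Media
----------------------------------------------- */
.attachment-ryu-featured-thumbnail,
.site-headerbwrap img,
.entry-content img,
.entry-summary img,
.comment-content img,
.widget img {
max-width: 100%;
vertical-align: middle;
}
.attachment-ryu-featured-thumbnail,
.site-headerbwrap img,
.entry-content img,
.entry-summary img,
.comment-content img[height],
img[class*="align"],
img[class*="wp-image-"],
.wp-caption img {
height: auto;
}
img.alignleft {
margin: 7px 34px 7px 0;
}
img.alignright {
margin: 7px 0 7px 34px;
}
img.aligncenter {
margin-top: 7px;
margin-bottom: 7px;
}
/* Make sure embeds and iframes fit their containers */
embed,
iframe,
object,
video {
margin-bottom: 34px;
max-width: 100%;
}
p > embed,
p > iframe,
p > object,
span > embed,
span > iframe,
span > object {
margin-bottom: 0;
}
/* =Footer
----------------------------------------------- */
.site-infobwrap {
color: #808080;
font-family: Lato, sans-serif;
font-size: 14px;
font-style: italic;
line-height: 1.8;
padding: 8px 0 9px;
text-align: center;
}
.site-infobwrap a {
border-bottom: 1px solid rgba(0, 0, 0, 0.1);
color: #808080;
}
.site-infobwrap a:hover {
border-color: rgba(0, 0, 0, 1);
}
/* =Widgets
----------------------------------------------- */
#widgets-wrapperbwrap {
padding-bottom: 0;
}
.widget-areabwrap {
float: left;
padding: 0 12px;
margin-bottom: 34px;
width: 264px;
}
.widget-areabwrap .widget {
font: 300 13px/1.3076923076 Lato, sans-serif;
letter-spacing: 0.1em;
color: #4d4d4d;
overflow: hidden;
margin: 0 0 34px;
}
.widget-areabwrap .widget h2,
.widget-areabwrap .widget h3 {
color: #4d4d4d;
font: 400 14px/1.2142857142 Lato, sans-serif;
letter-spacing: 0.1em;
margin-bottom: 17px;
text-transform: uppercase;
}
.widget-areabwrap .widget .widget-title {
color: #4d4d4d;
font: 400 14px/1.2142857142 Lato, sans-serif;
letter-spacing: 0.1em;
margin-bottom: 17px;
text-transform: uppercase;
}
.widget-areabwrap .widget a {
font-weight: bold;
color: #333333;
}
.widget-areabwrap .widget p,
.widget-areabwrap .widget .wp-caption {
margin-bottom: 17px;
}
.widget-areabwrap .widget ul {
list-style: none;
margin: 0;
}
.widget-areabwrap .widget ol {
margin: 0;
}
.widget-areabwrap .widget li > ul,
.widget-areabwrap .widget li > ol {
margin: 0 0 0 24px;
}
.widget-areabwrap .widget ul > li,
.widget-areabwrap .widget ol > li {
border-top: 1px solid rgba(255, 255, 255, 0.2);
padding: 8px 0;
}
.widget-areabwrap .widget ul ul > li:first-child {
margin-top: 8px;
}
.widget-areabwrap .widget ul > li:last-child {
padding-bottom: 0;
}
.widget-areabwrap .widget input[type="text"],
.widget-areabwrap .widget input[type="email"],
.widget-areabwrap .widget input[type="search"],
.widget-areabwrap .widget input[type="password"],
.widget-areabwrap .widget textarea {
background-color: rgba(255, 255, 255, 0.1);
border: 1px solid rgba(255, 255, 255, 0.2);
color: #fff;
max-width: 100%;
}
.widget-areabwrap button,
.widget-areabwrap html input[type="button"],
.widget-areabwrap input[type="reset"],
.widget-areabwrap input[type="submit"] {
border: 1px solid rgba(255, 255, 255, 0.2);
padding: 10px 22px;
}
.widget-areabwrap button:hover,
.widget-areabwrap html input[type="button"]:hover,
.widget-areabwrap input[type="reset"]:hover,
.widget-areabwrap input[type="submit"]:hover,
.widget-areabwrap button:focus,
.widget-areabwrap html input[type="button"]:focus,
.widget-areabwrap input[type="reset"]:focus,
.widget-areabwrap input[type="submit"]:focus {
background-color: rgba(255, 255, 255, 0.1);
}
.widget select,
.widget iframe {
max-width: 99%;
margin-left: 1px;
margin-left: 0.1rem;
}
.widget-areabwrap .widget:last-child,
.widget-areabwrap .widget div:last-child,
.widget-areabwrap .widget table:last-child,
.widget-areabwrap .widget iframe:last-child,
.widget-areabwrap .widget p:last-child {
margin-bottom: 0;
}
.widget-areabwrap .widget .avatar {
border-radius: 50%;
}
/* Search widget */
.widget_search #s {
width: 100%;
}
.widget_search .submit {
display: none;
}
/* Text Widget */
.widget_text a {
border-bottom: 1px dotted #fff;
}
.widget_text a:hover {
border-style: solid;
}
/* Twitter Widget */
.widget_twitter iframe {
margin-top: 17px;
}
/* =Media Queries
----------------------------------------------- */
@media screen and (min-width: 312px) {
#secondarybwrap {
max-width: 288px;
}
}
@media screen and (min-width: 456px) {
[class*="navigation"] .text-nav {
display: block;
}
}
@media screen and (min-width: 600px) {
#secondarybwrap.one {
max-width: 288px;
}
#secondarybwrap {
max-width: 576px;
}
#secondarybwrap .widget-areabwrap:nth-child(3) {
clear: both;
}
}
@media screen and (min-width: 888px) {
.entry-content,
.entry-summary,
article.attachment .entry-caption {
float: left;
}
.entry-format-badge {
margin: 0 0 34px 144px;
}
#secondarybwrap.two {
max-width: 576px;
}
#secondarybwrap {
max-width: 864px;
}
#secondarybwrap .widget-areabwrap:nth-child(3) {
clear: none;
}
#secondarybwrap .widget-areabwrap:nth-child(4) {
clear: both;
}
}
@media screen and (min-width: 1032px) {
.wrapbwrap {
max-width: 984px;
}
.bpostcategories-links {
max-width: 912px;
}
.entry-format-badge {
display: block;
float: right;
margin: 34px 0 0;
}
}
/** @media screen and (min-width: 1176px) {
.bpostcategories-links {
max-width: 984px;
}
#secondarybwrap.three {
max-width: 864px;
}
#secondarybwrap {
max-width: 1152px;
}
#secondarybwrap .widget-areabwrap:nth-child(4) {
clear: none;
}
} */
@media screen and (max-width: 600px) {
body,
button,
input,
select,
textarea {
font-size: 18px;
line-height: 1.4166666667;
}
#mastheadbwrap img[src*="gravatar"] {
width: 72px;
height: 72px;
}
blockquote p {
font-size: 34px;
font-weight: 400;
line-height: 1;
margin-bottom: 34px;
}
.hentry {
padding: 34px 0 20px;
}
.entry-title {
font-size: 35px;
}
.entry-content,
.entry-summary {
margin-top: 17px;
}
.site-contentbwrap [class*="navigation"],
#comments {
padding: 34px 0;
}
.img-wrapper {
width: 100%;
margin: 0;
}
.entry-wrapper {
width: 100%;
}
#secondarybwrap > div {
width: 100%;
}
}
@media screen and (max-width: 456px) {
.entry-title {
font-size: 34px;
}
.bpostcategories-links {
font-size: 13px;
line-height: 1.3076923076;
}
}
h2.date-header {
margin: 1.5em 0 0.5em;
display: none;
}
.main .widget {
margin: 0 0 5px;
padding: 0 0 2px;
}
.main .Blog {
border-bottom-width: 0;
}
#header .description {
}
/* Comments----------------------------------------------- */
#comments {
padding: 10px 20px;
margin-bottom: 20px;
}
#comments h4 {
font-size: 22px;
margin-bottom: 10px;
}
.deleted-comment {
font-style: italic;
color: gray;
}
#blog-pager-newer-link {
visibility: hidden;
float: left;
}
#blog-pager-older-link {
visibility: hidden;
float: right;
}
.visible {
visibility: visible !important;
}
#blog-pager {
text-align: center;
padding: 5px 10px;
margin: 10px;
display: flex;
justify-content: space-between;
}
.feed-links {
text-align: center;
clear: both;
padding: 50px 10px 10px 10px;
}
.comment-form {
}
#navbar-iframe {
height: 0;
visibility: hidden;
display: none;
}
.PopularPosts .widget-content ul li {
padding: 6px 0px;
}
.reaction-buttons table {
border: none;
margin-bottom: 5px;
}
.reaction-buttons table,
.reaction-buttons td {
border: none !important;
}
/* .pbtthumbimg {
float: left;
margin: 0px 10px 5px 5px;
padding: 4px;
} */
.status-msg-wrap {
margin: 20px auto 10px auto;
}
#header-inner {
padding: 30px;
}
.CSS_LAYOUT_COMPONENT {
color: rgba(0,0,0,0) !important;
}
.CSS_LAYOUT_COMPONENT.CSS_LIGHTBOX_ATTRIBUTION_INDEX_CONTAINER > .CSS_HCONT_CHILDREN_HOLDER {
display: flex;
align-items: center;
}

--></style>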
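<!-- NOTE(review): jQuery 1.11.0 is pulled from a third-party CDN with no Subresource Integrity,
     so a CDN compromise would run arbitrary script on this origin. Add
     integrity="sha384-<hash of the served file>" crossorigin="anonymous" (or self-host the file).
     It is also an old 1.x release kept alive by the jQuery Migrate shim that follows; plan an
     upgrade once the Migrate warnings it logs have been cleared. -->
<script src='https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js' type='text/javascript'></script>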
<script type='text/javascript'>
//<![CDATA[

/*! jQuery Migrate v1.2.1 | (c) 2005, 2013 jQuery Foundation, Inc. and other contributors | jquery.org/license */
jQuery.migrateMute===void 0&&(jQuery.migrateMute=!0),function(e,t,n){function r(n){var r=t.console;i[n]||(i[n]=!0,e.migrateWarnings.push(n),r&&r.warn&&!e.migrateMute&&(r.warn("JQMIGRATE: "+n),e.migrateTrace&&r.trace&&r.trace()))}function a(t,a,i,o){if(Object.defineProperty)try{return Object.defineProperty(t,a,{configurable:!0,enumerable:!0,get:function(){return r(o),i},set:function(e){r(o),i=e}}),n}catch(s){}e._definePropertyBroken=!0,t[a]=i}var i={};e.migrateWarnings=[],!e.migrateMute&&t.console&&t.console.log&&t.console.log("JQMIGRATE: Logging is active"),e.migrateTrace===n&&(e.migrateTrace=!0),e.migrateReset=function(){i={},e.migrateWarnings.length=0},"BackCompat"===document.compatMode&&r("jQuery is not compatible with Quirks Mode");var o=e("<input/>",{size:1}).attr("size")&&e.attrFn,s=e.attr,u=e.attrHooks.value&&e.attrHooks.value.get||function(){return null},c=e.attrHooks.value&&e.attrHooks.value.set||function(){return n},l=/^(?:input|button)$/i,d=/^[238]$/,p=/^(?:autofocus|autoplay|async|checked|controls|defer|disabled|hidden|loop|multiple|open|readonly|required|scoped|selected)$/i,f=/^(?:checked|selected)$/i;a(e,"attrFn",o||{},"jQuery.attrFn is deprecated"),e.attr=function(t,a,i,u){var c=a.toLowerCase(),g=t&&t.nodeType;return u&&(4>s.length&&r("jQuery.fn.attr( props, pass ) is deprecated"),t&&!d.test(g)&&(o?a in o:e.isFunction(e.fn[a])))?e(t)[a](i):("type"===a&&i!==n&&l.test(t.nodeName)&&t.parentNode&&r("Can't change the 'type' of an input or button in IE 6/7/8"),!e.attrHooks[c]&&p.test(c)&&(e.attrHooks[c]={get:function(t,r){var a,i=e.prop(t,r);return i===!0||"boolean"!=typeof i&&(a=t.getAttributeNode(r))&&a.nodeValue!==!1?r.toLowerCase():n},set:function(t,n,r){var a;return n===!1?e.removeAttr(t,r):(a=e.propFix[r]||r,a in t&&(t[a]=!0),t.setAttribute(r,r.toLowerCase())),r}},f.test(c)&&r("jQuery.fn.attr('"+c+"') may use property instead of attribute")),s.call(e,t,a,i))},e.attrHooks.value={get:function(e,t){var 
n=(e.nodeName||"").toLowerCase();return"button"===n?u.apply(this,arguments):("input"!==n&&"option"!==n&&r("jQuery.fn.attr('value') no longer gets properties"),t in e?e.value:null)},set:function(e,t){var a=(e.nodeName||"").toLowerCase();return"button"===a?c.apply(this,arguments):("input"!==a&&"option"!==a&&r("jQuery.fn.attr('value', val) no longer sets properties"),e.value=t,n)}};var g,h,v=e.fn.init,m=e.parseJSON,y=/^([^<]*)(<[\w\W]+>)([^>]*)$/;e.fn.init=function(t,n,a){var i;return t&&"string"==typeof t&&!e.isPlainObject(n)&&(i=y.exec(e.trim(t)))&&i[0]&&("<"!==t.charAt(0)&&r("$(html) HTML strings must start with '<' character"),i[3]&&r("$(html) HTML text after last tag is ignored"),"#"===i[0].charAt(0)&&(r("HTML string cannot start with a '#' character"),e.error("JQMIGRATE: Invalid selector string (XSS)")),n&&n.context&&(n=n.context),e.parseHTML)?v.call(this,e.parseHTML(i[2],n,!0),n,a):v.apply(this,arguments)},e.fn.init.prototype=e.fn,e.parseJSON=function(e){return e||null===e?m.apply(this,arguments):(r("jQuery.parseJSON requires a valid JSON string"),null)},e.uaMatch=function(e){e=e.toLowerCase();var t=/(chrome)[ \/]([\w.]+)/.exec(e)||/(webkit)[ \/]([\w.]+)/.exec(e)||/(opera)(?:.*version|)[ \/]([\w.]+)/.exec(e)||/(msie) ([\w.]+)/.exec(e)||0>e.indexOf("compatible")&&/(mozilla)(?:.*? 
rv:([\w.]+)|)/.exec(e)||[];return{browser:t[1]||"",version:t[2]||"0"}},e.browser||(g=e.uaMatch(navigator.userAgent),h={},g.browser&&(h[g.browser]=!0,h.version=g.version),h.chrome?h.webkit=!0:h.webkit&&(h.safari=!0),e.browser=h),a(e,"browser",e.browser,"jQuery.browser is deprecated"),e.sub=function(){function t(e,n){return new t.fn.init(e,n)}e.extend(!0,t,this),t.superclass=this,t.fn=t.prototype=this(),t.fn.constructor=t,t.sub=this.sub,t.fn.init=function(r,a){return a&&a instanceof e&&!(a instanceof t)&&(a=t(a)),e.fn.init.call(this,r,a,n)},t.fn.init.prototype=t.fn;var n=t(document);return r("jQuery.sub() is deprecated"),t},e.ajaxSetup({converters:{"text json":e.parseJSON}});var b=e.fn.data;e.fn.data=function(t){var a,i,o=this[0];return!o||"events"!==t||1!==arguments.length||(a=e.data(o,t),i=e._data(o,t),a!==n&&a!==i||i===n)?b.apply(this,arguments):(r("Use of jQuery.fn.data('events') is deprecated"),i)};var j=/\/(java|ecma)script/i,w=e.fn.andSelf||e.fn.addBack;e.fn.andSelf=function(){return r("jQuery.fn.andSelf() replaced by jQuery.fn.addBack()"),w.apply(this,arguments)},e.clean||(e.clean=function(t,a,i,o){a=a||document,a=!a.nodeType&&a[0]||a,a=a.ownerDocument||a,r("jQuery.clean() is deprecated");var s,u,c,l,d=[];if(e.merge(d,e.buildFragment(t,a).childNodes),i)for(c=function(e){return!e.type||j.test(e.type)?o?o.push(e.parentNode?e.parentNode.removeChild(e):e):i.appendChild(e):n},s=0;null!=(u=d[s]);s++)e.nodeName(u,"script")&&c(u)||(i.appendChild(u),u.getElementsByTagName!==n&&(l=e.grep(e.merge([],u.getElementsByTagName("script")),c),d.splice.apply(d,[s+1,0].concat(l)),s+=l.length));return d});var Q=e.event.add,x=e.event.remove,k=e.event.trigger,N=e.fn.toggle,T=e.fn.live,M=e.fn.die,S="ajaxStart|ajaxStop|ajaxSend|ajaxComplete|ajaxError|ajaxSuccess",C=RegExp("\\b(?:"+S+")\\b"),H=/(?:^|\s)hover(\.\S+|)\b/,A=function(t){return"string"!=typeof t||e.event.special.hover?t:(H.test(t)&&r("'hover' pseudo-event is deprecated, use 'mouseenter 
mouseleave'"),t&&t.replace(H,"mouseenter$1 mouseleave$1"))};e.event.props&&"attrChange"!==e.event.props[0]&&e.event.props.unshift("attrChange","attrName","relatedNode","srcElement"),e.event.dispatch&&a(e.event,"handle",e.event.dispatch,"jQuery.event.handle is undocumented and deprecated"),e.event.add=function(e,t,n,a,i){e!==document&&C.test(t)&&r("AJAX events should be attached to document: "+t),Q.call(this,e,A(t||""),n,a,i)},e.event.remove=function(e,t,n,r,a){x.call(this,e,A(t)||"",n,r,a)},e.fn.error=function(){var e=Array.prototype.slice.call(arguments,0);return r("jQuery.fn.error() is deprecated"),e.splice(0,0,"error"),arguments.length?this.bind.apply(this,e):(this.triggerHandler.apply(this,e),this)},e.fn.toggle=function(t,n){if(!e.isFunction(t)||!e.isFunction(n))return N.apply(this,arguments);r("jQuery.fn.toggle(handler, handler...) is deprecated");var a=arguments,i=t.guid||e.guid++,o=0,s=function(n){var r=(e._data(this,"lastToggle"+t.guid)||0)%o;return e._data(this,"lastToggle"+t.guid,r+1),n.preventDefault(),a[r].apply(this,arguments)||!1};for(s.guid=i;a.length>o;)a[o++].guid=i;return this.click(s)},e.fn.live=function(t,n,a){return r("jQuery.fn.live() is deprecated"),T?T.apply(this,arguments):(e(this.context).on(t,this.selector,n,a),this)},e.fn.die=function(t,n){return r("jQuery.fn.die() is deprecated"),M?M.apply(this,arguments):(e(this.context).off(t,this.selector||"**",n),this)},e.event.trigger=function(e,t,n,a){return n||C.test(e)||r("Global events are undocumented and deprecated"),k.call(this,e,t,n||document,a)},e.each(S.split("|"),function(t,n){e.event.special[n]={setup:function(){var t=this;return t!==document&&(e.event.add(document,n+"."+e.guid,function(){e.event.trigger(n,null,t,!0)}),e._data(this,n,e.guid++)),!1},teardown:function(){return this!==document&&e.event.remove(document,n+"."+e._data(this,n)),!1}}})}(jQuery,window);

//]]>
</script>
<script type='text/javascript'>
//<![CDATA[

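function showrecentcomments(json) {
  // Blogger "recent comments" feed callback. Writes one line per comment into the
  // document while the page is loading (document.write). Reads the globals set by
  // the widget's configuration script: a_rc (max comments), m_rc (show date),
  // n_rc (show post title) and o_rc (excerpt length in characters).
  //
  // Author names and comment bodies come from the public comment feed, i.e. from
  // other users, so every value placed into markup goes through escapeHtml; the
  // comment body keeps the original treatment (tags stripped, then written raw)
  // because the feed delivers it as entity-encoded HTML — TODO confirm, and escape
  // it too if the feed ever delivers plain text.
  function escapeHtml(value) {
    return String(value)
      .replace(/&/g, "&amp;")
      .replace(/</g, "&lt;")
      .replace(/>/g, "&gt;")
      .replace(/"/g, "&quot;")
      .replace(/'/g, "&#39;");
  }

  var monthNames = ["", "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
  // A feed with no comments has no `entry` array at all; treat it as empty
  // instead of throwing. Bounding by the feed length also drops the in-loop
  // length check the original relied on.
  var entries = (json && json.feed && json.feed.entry) || [];
  var count = Math.min(a_rc, entries.length);

  for (var i = 0; i < count; i++) {
    var entry = entries[i];

    var commentUrl = "";
    for (var k = 0; k < entry.link.length; k++) {
      if (entry.link[k].rel === "alternate") {
        commentUrl = entry.link[k].href;
        break;
      }
    }
    if (!commentUrl) {
      continue; // no permalink for this comment; the original threw here
    }
    // Blogger comment permalinks are "<post url>#<id>"; rewrite to "#comment-<id>".
    commentUrl = commentUrl.replace("#", "#comment-");
    var postUrl = commentUrl.split("#")[0];
    // Derive a readable post title from the URL slug (segment 5 of the permalink).
    var slug = (postUrl.split("/")[5] || "").split(".html")[0];
    var postTitle = slug.replace(/-/g, " ");

    var published = entry.published.$t; // ISO 8601 timestamp, e.g. 2023-12-20T...
    var month = published.substring(5, 7);
    var day = published.substring(8, 10);

    var body = "";
    if ("content" in entry) {
      body = entry.content.$t;
    } else if ("summary" in entry) {
      body = entry.summary.$t;
    }
    body = body.replace(/<\S[^>]*>/g, "");

    // Loose comparisons kept on purpose: the widget config contract predates this rewrite.
    if (m_rc == true) {
      document.write("On " + monthNames[parseInt(month, 10)] + " " + day + " ");
    }
    document.write('<a href="' + escapeHtml(commentUrl) + '">' +
                   escapeHtml(entry.author[0].name.$t) + "</a> commented");
    if (n_rc == true) {
      document.write(' on <a href="' + escapeHtml(postUrl) + '">' + escapeHtml(postTitle) + "</a>");
    }
    document.write(": ");

    if (body.length < o_rc) {
      document.write("<i>&#8220;" + body + "&#8221;</i><br/><br/>");
    } else {
      // Cut at the last word boundary inside the excerpt length.
      body = body.substring(0, o_rc);
      body = body.substring(0, body.lastIndexOf(" "));
      document.write("<i>&#8220;" + body + "&hellip;&#8221;</i><br/><br/>");
    }
  }
}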

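function rp(json) {
  // Blogger "recent posts" feed callback. Writes a <ul> of post links into the
  // document while the page is loading (document.write). Reads the globals set
  // by the widget's configuration script: numposts (max posts), showpostdate,
  // showpostsummary and numchars (excerpt length in characters).
  //
  // Titles and URLs are escaped before being placed into markup. The post body
  // keeps the original treatment (tags stripped, then written raw) because the
  // feed delivers it as entity-encoded HTML — TODO confirm.
  function escapeHtml(value) {
    return String(value)
      .replace(/&/g, "&amp;")
      .replace(/</g, "&lt;")
      .replace(/>/g, "&gt;")
      .replace(/"/g, "&quot;")
      .replace(/'/g, "&#39;");
  }

  var monthNames = ["", "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
  // Bound the loop by the feed length up front: the original dereferenced
  // entry[i].title before its length check, which threw when the feed held fewer
  // than numposts posts, and it had already written a dangling "<li>" by then.
  var entries = (json && json.feed && json.feed.entry) || [];
  var count = Math.min(numposts, entries.length);

  document.write("<ul>");
  for (var i = 0; i < count; i++) {
    var entry = entries[i];

    var postUrl = "";
    for (var k = 0; k < entry.link.length; k++) {
      if (entry.link[k].rel === "alternate") {
        postUrl = entry.link[k].href;
        break;
      }
    }
    var hrefAttr = escapeHtml(postUrl);
    var titleLink = '<a href="' + hrefAttr + '">' + escapeHtml(entry.title.$t) + "</a>";
    var readMoreLink = '<a href="' + hrefAttr + '">(more)</a>';

    var published = entry.published.$t; // ISO 8601 timestamp
    var month = published.substring(5, 7);
    var day = published.substring(8, 10);

    var body = "";
    if ("content" in entry) {
      body = entry.content.$t;
    } else if ("summary" in entry) {
      body = entry.summary.$t;
    }
    body = body.replace(/<\S[^>]*>/g, "");

    document.write("<li>");
    document.write(titleLink);
    // Loose comparisons kept on purpose: the widget config contract predates this rewrite.
    if (showpostdate == true) {
      document.write(" - " + monthNames[parseInt(month, 10)] + " " + day);
    }
    if (showpostsummary == true) {
      if (body.length < numchars) {
        document.write(body);
      } else {
        // Cut at the last word boundary inside the excerpt length.
        body = body.substring(0, numchars);
        body = body.substring(0, body.lastIndexOf(" "));
        document.write(body + "..." + readMoreLink);
      }
    }
    document.write("</li>");
  }
  document.write("</ul>");
}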

//]]>
</script>
<script type='text/javascript'>
// Excerpt lengths (in characters) read by createSummaryAndThumb below:
// summary_noimg applies to posts without an image, summary_img to posts with one.
// img_thumb_height / img_thumb_width are not referenced by the scripts visible
// here — presumably consumed by the template elsewhere; verify before removing.
summary_noimg = 400;
summary_img = 300;
img_thumb_height = 150;
img_thumb_width = 200;
</script>
<script type='text/javascript'>
//<![CDATA[

function removeHtmlTag(strx, chop) {
  // Returns `strx` with "<...>" runs removed, truncated near `chop` characters
  // at a word boundary, with "..." appended.
  // Tag stripping: split on '<' and discard each piece up to its first '>'.
  if (strx.indexOf("<") !== -1) {
    var pieces = strx.split("<");
    for (var idx = 0; idx < pieces.length; idx++) {
      var close = pieces[idx].indexOf(">");
      if (close !== -1) {
        pieces[idx] = pieces[idx].substring(close + 1, pieces[idx].length);
      }
    }
    strx = pieces.join("");
  }
  // Clamp the cut point, then advance it to the next space when not already on
  // a word boundary (only if a later space exists).
  var cut = (chop < strx.length - 1) ? chop : strx.length - 2;
  while (strx.charAt(cut - 1) !== ' ' && strx.indexOf(' ', cut) !== -1) {
    cut++;
  }
  return strx.substring(0, cut - 1) + '...';
}

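function createSummaryAndThumb(pID) {
  // Replaces the post's "summary<pID>" element with a plain-text excerpt and,
  // when the post contains an image, prepends a thumbnail of its first image
  // to "entry<pID>". Reads the globals summary_noimg / summary_img for the
  // excerpt length and uses removeHtmlTag (defined above) to build it.
  var summaryDiv = document.getElementById('summary' + pID);
  if (!summaryDiv) {
    return; // no summary block for this post; the original threw here
  }
  // Capture the first image's URL before the summary markup is replaced.
  var firstImg = summaryDiv.getElementsByTagName("img")[0];
  var thumbSrc = firstImg ? firstImg.src : "";
  var summ = firstImg ? summary_img : summary_noimg;

  summaryDiv.innerHTML = '<div>' + removeHtmlTag(summaryDiv.innerHTML, summ) + '</div>';

  if (thumbSrc) {
    var entryDiv = document.querySelector('#entry' + pID);
    if (!entryDiv) {
      return;
    }
    // Build the thumbnail with DOM APIs instead of concatenating it into
    // entryDiv.innerHTML: the image URL is never re-parsed as markup, and the
    // entry's existing nodes (and any listeners on them) are kept intact.
    var thumb = document.createElement('img');
    thumb.src = thumbSrc;
    thumb.className = 'pbtthumbimg';
    var wrapper = document.createElement('div');
    wrapper.className = 'img-wrapper';
    wrapper.appendChild(thumb);
    entryDiv.insertBefore(wrapper, entryDiv.firstChild);
  }
}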

function removeFormatting(node) {
  // Strip the inline `style` attribute from `node` and every element beneath it.
  // Iterative pre-order walk; children are snapshotted when their parent is visited.
  var pending = [node];
  while (pending.length > 0) {
    var current = pending.pop();
    current.removeAttribute('style');
    var kids = Array.from(current.children);
    for (var i = kids.length - 1; i >= 0; i--) {
      pending.push(kids[i]);
    }
  }
}

//]]>
</script>
<style id='custom-background-css' type='text/css'>
/* Blogger custom-background hook: forces a white page background. */
body.custom-background {background-color:#fff;}
</style>
<!-- NOTE(review): the inline onload handler below (the media="none" → "all" swap for
     non-render-blocking CSS) would need 'unsafe-inline' or a script hash in script-src
     if a Content-Security-Policy is ever applied to this page; the <noscript> fallback
     already covers the no-JS case. -->
<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=6871606241422173914&amp;zx=ec801aa7-99fb-48d6-a88e-c7ea38d1d783' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=6871606241422173914&amp;zx=ec801aa7-99fb-48d6-a88e-c7ea38d1d783' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script type="text/javascript" language="javascript">
  // Supply ads personalization default for EEA readers
  // See https://www.blogger.com/go/adspersonalization
  // Reuse the queue if the ads loader already created it; otherwise start one.
  window.adsbygoogle = window.adsbygoogle || [];
  if (window.adsbygoogle.requestNonPersonalizedAds === undefined) {
    window.adsbygoogle.requestNonPersonalizedAds = 1;
  }
</script>


</head>
<body class='custom-background'>
<div id='pagebwrap'>
<a class='post-count-link' href='https://blog.virustotal.com/2019/02/'>February 2019</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2019/01/'>January 2019</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2018/'>2018</a>
<span class='post-count' dir='ltr'>(10)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2018/12/'>December 2018</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2018/11/'>November 2018</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2018/06/'>June 2018</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2018/05/'>May 2018</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2018/04/'>April 2018</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2018/03/'>March 2018</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2018/01/'>January 2018</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2017/'>2017</a>
<span class='post-count' dir='ltr'>(13)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2017/11/'>November 2017</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2017/10/'>October 2017</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2017/09/'>September 2017</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2017/08/'>August 2017</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2017/07/'>July 2017</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2017/03/'>March 2017</a>
<span class='post-count' dir='ltr'>(4)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2017/02/'>February 2017</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2016/'>2016</a>
<span class='post-count' dir='ltr'>(6)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2016/11/'>November 2016</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2016/08/'>August 2016</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2016/05/'>May 2016</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2016/01/'>January 2016</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2015/'>2015</a>
<span class='post-count' dir='ltr'>(8)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2015/11/'>November 2015</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2015/10/'>October 2015</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2015/06/'>June 2015</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2015/04/'>April 2015</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2015/02/'>February 2015</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2015/01/'>January 2015</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/'>2014</a>
<span class='post-count' dir='ltr'>(24)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/12/'>December 2014</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/11/'>November 2014</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/10/'>October 2014</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/09/'>September 2014</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/07/'>July 2014</a>
<span class='post-count' dir='ltr'>(6)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/06/'>June 2014</a>
<span class='post-count' dir='ltr'>(4)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/05/'>May 2014</a>
<span class='post-count' dir='ltr'>(4)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/02/'>February 2014</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2014/01/'>January 2014</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/'>2013</a>
<span class='post-count' dir='ltr'>(26)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/11/'>November 2013</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/10/'>October 2013</a>
<span class='post-count' dir='ltr'>(7)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/09/'>September 2013</a>
<span class='post-count' dir='ltr'>(4)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/06/'>June 2013</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/05/'>May 2013</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/04/'>April 2013</a>
<span class='post-count' dir='ltr'>(5)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/03/'>March 2013</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/02/'>February 2013</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2013/01/'>January 2013</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/'>2012</a>
<span class='post-count' dir='ltr'>(26)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/12/'>December 2012</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/11/'>November 2012</a>
<span class='post-count' dir='ltr'>(4)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/10/'>October 2012</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/09/'>September 2012</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/08/'>August 2012</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/07/'>July 2012</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/06/'>June 2012</a>
<span class='post-count' dir='ltr'>(6)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/05/'>May 2012</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/04/'>April 2012</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/03/'>March 2012</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2012/02/'>February 2012</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2011/'>2011</a>
<span class='post-count' dir='ltr'>(1)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

          &#9658;&#160;
        
</span>
</a>
<a class='post-count-link' href='https://blog.virustotal.com/2011/12/'>December 2011</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
</div>
</div>
<div class='clear'></div>
</div>
</div></div>
</div>
</div><!-- #secondary -->
</div>
<div class='site-mainbwrap' id='mainbwrap'>
<div class='content-areabwrap' id='primarybwrap'>
<div class='site-contentbwrap' id='contentbwrap' role='main'>
<div class='mainblogsec section' id='mainblogsec'><div class='widget Blog' data-version='1' id='Blog1'>
<div class='blog-posts hfeed'>

          <div class="date-outer">
        
<h2 class='date-header'><span>Wednesday, December 20, 2023</span></h2>

          <div class="date-posts">
        
<div class='post-outer'>
<article class='post hentry clearnbt'>
<div class='entry-wrap wrapbwrap clearnbt' id='entry3256453252814332978'>
<div class='entry-wrapper'>
<a name='3256453252814332978'></a>
<header class='entry-header'>
<span class='bpostcategories-links'><a href='https://blog.virustotal.com/search/label/detection%20engineering' rel='tag'>detection engineering</a>, <a href='https://blog.virustotal.com/search/label/sigma' rel='tag'>sigma</a>, <a href='https://blog.virustotal.com/search/label/threat%20hunting' rel='tag'>threat hunting</a>, <a href='https://blog.virustotal.com/search/label/threat%20intelligence' rel='tag'>threat intelligence</a>, <a href='https://blog.virustotal.com/search/label/yara' rel='tag'>yara</a></span>
<h2 class='post-title entry-title'>
<a href='https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html'>Sigma rules for Linux and MacOS</a>
</h2>
</header>
<footer class='bpostentry-meta'>
<span class='bpostentry-date'>Wednesday, December 20, 2023</span>
<span class='bpostauthor'><a href='https://www.blogger.com/profile/15205592295367780978' rel='author' title='author profile'>Joseliyo Sánchez</a></span>
</footer>
<div class='post-header-line-1'></div>
<div class='post-body entry-content clearnbt'>
<div class="interval_12"> <b>TLDR</b>: VT Crowdsourced Sigma rules will now also match suspicious activity for macOS and Linux binaries, in addition to Windows.
</div>
<div class="interval_12"> We recently <a href="https://blog.virustotal.com/2023/06/threat-hunting-converting-sigma-to-yara.html" target="_blank">discussed</a> how to maximize the value of Sigma rules by easily converting them to YARA Livehunts. Unfortunately, at that time Sigma rules were only matched against Windows binaries. 
</div>
<div class="interval_12"> Since then, our engineering team has worked hard to provide a better experience for Sigma lovers, increasing the value of Crowdsourced Sigma rules by extending matching to macOS and Linux samples.
</div>
<h2 style="text-align: left;">Welcome macOS and Linux</h2>
<div class="interval_12"> Although we are still working to implement Sysmon in our Linux and macOS sandboxes, we have implemented new features that allow Sigma rule matching based on the samples&#8217; runtime behavior extracted by those sandboxes.
</div>
<div class="interval_12"> For example, a process created in our sandbox whose image path ends in <mark class="my-yara-code"><mark class="red">&#8220;/crontab&#8221;</mark></mark> and whose command line contains the <mark class="my-yara-code"><mark class="red">"-l"</mark></mark> parameter would match the following Sigma rule:
</div>
<div class="my-yara-code interval_12">
<p>logsource:</p>
<p>&nbsp;&nbsp;product: linux</p>
<p>&nbsp;&nbsp;category: process_creation</p>
<p>detection:</p>
<p>&nbsp;&nbsp;selection:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;Image|endswith: '/crontab'</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;CommandLine|contains: ' -l'</p>
<p>&nbsp;&nbsp;condition: selection</p>
</div>
<div class="interval_12"> We have mapped all the fields used by Sigma rules to the information offered by our sandboxes, which allowed us to support rules for image_load, process_creation and registry_set, among other categories.
</div>
<div class="interval_12"> This approach has limitations. However, about 54% of Crowdsourced Sigma rules for Linux and 96% for macOS are related to process creation, meaning we already have enough information to match all of them against our sandboxes&#8217; output. The same applies to rules based on file creation.
</div>
<div class="interval_12"> Let&#8217;s look at some examples!
</div>
<h2 style="text-align: left;">Linux, macOS and Windows examples</h2>
<div class="interval_12"> The following <a href="https://www.virustotal.com/gui/file/fa9586039889b460ca92820d33cb85e410f225e55fe04f021a940735693e5a8a/details" target="_blank">shell script sample</a> has 11 Crowdsourced Sigma rule matches.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/bTWJ1UA1ZZD4Rp1zveMMQnBj56Ml4m7CNrtWH5WhtyHoHeZ_jQDszTLVAzzMceuWMx6Ca8KuBfZohKHmbBvL4GXs54q5Ioh3BB8S_fpZBraBPB3hTZnQkjwbC6VDTaAjuKQTsaxIlY47PwEq0ShTu6a8UL3Z-JRQbkf4-cXBMvv1LGHiWc57ouscO9y4SK0PZdj0CqzFqZnbvLlZDlNUoKWYoV7KioE16SOr7w" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> For every rule, it is possible to check what triggered the match by clicking on &#8220;View matches&#8221;. In the case of Windows binaries, this shows which Sysmon event matched the behavior described in the Sigma rule, as we can see below:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/nH37fyOS9lB4SH9qzIPAK1yTKLJbS-MCJi7qeWjswE9dhWkogvY5br3uA-J2yPoDF9KYFgupIoA5k5YrG9ZzWwhNIdadZHk-xwJZg_zTUM7DTqeA6nqwMtg2o4sGnL38ZkzhB3Pd8MFf8BI-xN5oTQ0Ol-yMAtkww-xEPK5drozKGfysVmADlLUOuUwer9oGtl0gqz7c-mZXTbez9Rt492v3fTJADgURaO6ydg" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> In the case of the shell script mentioned above, it shows the values that are relevant to the rule&#8217;s logic, as you can see in the following image:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/iBVwMpjLAzwLYgV7s-PHZfaTDmuE2ISh-lBEGrLFcFgNIpQ7-f3B2vm4a8R_cEWM5Uax6v3xWT35reZbqurLjx90n-8asI2l1Pxdp41-xEFj0H3Sz99dHzJYtH6kgd54Gw3NvrKWr2UGCI588Ou4QpCZL5VGJnV5q1SddyyPRK6cPezRfFFCB6DVVT7HsB3xrc_FoRkickpOYVcO5F6z-oO6xHemiuSPM5p-eg" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> Interestingly, Sigma rules intended for Linux also produce results in macOS environments, and vice versa. This happens here because the shell script can be interpreted by both operating systems. Indeed, one of the matching rules for the sample, called <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" target="_blank">Indicator Removal on Host - Clear Mac System Logs</a>, was specifically created for macOS:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/IU3OM1Nz14k8Pdkaqpi5RWHGc9NjWAHoPKGCL90esa0QZMQb1ZhWqRTDqnVd6vJgCvNpso8PHNQJT2hwmjOrhJRCencqP93ABVfLas7udwAnUCx7gH-svk8LICqcHhZDhodxd5PyVL-oEcAOCx8j40JYMU8d4Iq7Pe-mUh_3IvxIcm20_ChTS7294F-GdclSfNPL19773yuw75SEvOXRruSBYi6NuHMvCtlW3g" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> while a second matching rule, <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml" target="_blank">Commands to Clear or Remove the Syslog </a>, was created for Linux:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/I83iS3D0wpyQu8TFf0n4dlf153RAfdvIRl8iMWb-sm1NMY8t3P8wwJ3Ixr2rO8gmzAaYHdz7hXuUsRDGzxi_UYuD6OFu3pKsXMXe8KbbDeaAL0tBWfDgcGICAE-irxXsdNRR9kkLDsWsSaXx-5tcdallNMpmYuc-m1GZbAQ4j6-vDPK9wp0Q9ga_Xs7iILRPWqKPzgQv8Q4DoPlLhf274anMMSi3YngwDPbx2w" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> To get more examples of samples with Sigma rules that match sandboxes&#8217; output instead of Sysmon, you can use the following queries:
</div>
<div class="my-yara-code interval_12">(<mark class="red">have</mark>:sigma) and not <mark class="red">have</mark>:evtx <mark class="red">type</mark>:mac</div>
<div class="my-yara-code interval_12">(<mark class="red">have</mark>:sigma) and not <mark class="red">have</mark>:evtx <mark class="red">type</mark>:linux</div>
<div class="interval_12"> A second <a href="https://www.virustotal.com/gui/file/41231183ec32f6cc4313f30cef8b0a29d0df205ea81242ce3f7bfebcf4a58fa3" target="_blank">interesting example</a> is a DMG matching 8 Sigma rules: 5 of them were originally created for Linux under the &#8220;process_creation&#8221; category and 2 were created for macOS. The last match&#8230; is a Sigma rule created for Windows samples!
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://s5.gifyu.com/images/Sjbsg.gif" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> The new feature matching Sigma rules with Linux and macOS samples helped us identify some rules that may be too generic, which is not necessarily a problem as long as this is the intended behavior.
</div>
<div class="interval_12"> In this case, the <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" target="_blank">Usage Of Web Request Commands And Cmdlets</a> rule was originally created to detect web requests made from the Windows command line:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/M5l7N9cJ_zdbuR-MthKBo19qxAcOfCFc2WsKIX4r7G6BVPRJsnhPrqaNxWtyuXmw2r57sc6lDsTtKi0FehS79GM-dN5E5ZYf9ePC_topnL7foWDDZ80kbnRax1seDc6D1iZeBmhtJMQE3wtFVAAFTUG9xydgYY6pIockMd9fLgn7ZrvbZSf1QcmXyShOdi3Eh-uS5OaACCiRnxXwdXXy8MAAuboqpfdVZJB2fQ" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> The rule seems a bit too generic since it only checks for a few strings in the command line, although it can be highly effective for generic detection of suspicious behavior. Keep in mind that a bare substring match like this will also fire on legitimate installers and update scripts that download content, so treat such a match as a triage signal to be combined with other indicators rather than as a verdict on its own.
</div>
<div class="interval_12"> To understand why our Macintosh Disk Image sample triggered a detection for this rule, we checked the matches:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/Gzxk4mCCV0uJ4gyiwoQzIPqsscuWfDyu9CCoNhDuviiC-1zJNh4EyM_EJZq4y27OHUeiUMgf35MmPnMTGZwaYPmPC1VDaY2uzH1QHFb3XqXXTb20RY7Zl3RB_hw-GZqtnUfXP63Soq_RaWI8Wjnplq6z5yT8QWuWSg7B5YVVFbSxJx7GvTuT7uAp4UEzxnGkVYNtSXf_Mo5MKb2Ps-VCCpsDF5nvbL9dcKE3Gw" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> As we can see, the use of the string <mark class="my-yara-code"><mark class="red">&#8220;curl&#8221;</mark></mark>  in the command line was enough to match this sample.
</div>
<div class="interval_12"> This Sigma rule had about 9k hits in the last year alone, with more than 300 of the matching files being Linux or macOS samples. You can obtain the full list using the following query:
</div>
<div class="my-yara-code interval_12"><mark class="red">sigma_rule</mark>:f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 and (<mark class="red">type</mark>:linux or <mark class="red">type</mark>:mac)</div>

<h2 style="text-align: left;">Creating Livehunt rules from Sysmon EVTX outputs
</h2>

<div class="interval_12"> So far we have mainly focused on samples that do not have Sysmon (EVTX) logs. Now let's see how it is possible to create a Livehunt rule based on Sysmon logs. For this, we are going to use the &#8220;structure&#8221; functionality provided in the Livehunt YARA editor, as we explain in this <a href="https://blog.virustotal.com/2023/09/its-all-about-structure-creating-yara.html" target="_blank">post</a>. 
</div>
<div class="interval_12"> The <a href="https://www.virustotal.com/gui/file/75f32ab1a2e666ca53d9d8e3d9d6d7e64ee068aa92af66bdd1e4f6527e83e1ec" target="_blank">sample</a> we will use in this example is associated with CobaltStrike and matches multiple Sigma rules that identify certain behaviors. It is important to note that for every Sigma match, we will see in the file &#8220;structure&#8221; only the context <b>that matched</b>, not the full EVTX logs. The full logs can be downloaded from the sample&#8217;s VT report behavior section under &#8220;Download Artifacts&#8221; or using our API (available for <a href="https://docs.virustotal.com/reference/file-behaviour-evtx" target="_blank">publicly</a> and <a href="https://docs.virustotal.com/reference/file_behaviourssandbox_idevtx" target="_blank">privately</a> scanned files). 
</div>
<div class="interval_12"> The following image shows the matching raw EVTX generated by our sample:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/04pqw6oXn8r_d-13nYXDumqEUwjtBKraV6WDXV7YV4zD00ZYiUJ5pgwkCrMi00IiIo1aOxmt7mbi3E6xWoJkz-FMlQOHAdA42xCrPoEWLfjFwmOkgz8D5poXj8J5eXXBSYSesDNd7YvxyA0ffV7oA3RbGoiOOSAZ7YY5_ZvXLWBVXvEyErLBcc3XSW0TU4GP7OLnwclWMRERkotJzwSC0iZO-X2SdaGz7yUgFA" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> From the sample&#8217;s JSON Structure, <b>Sigma_analysis_results</b> is an array that contains objects with all the relevant information related to the matching Sigma rules, including details about the rule itself and EVTX logs. From the previous image, the first highlighted section is related to process creation and the second one is a registry event (value set).
</div>
<div class="interval_12"> As explained in our <a href="https://blog.virustotal.com/2023/09/its-all-about-structure-creating-yara.html" target="_blank">post</a>, by just clicking on the fields that you are interested in you can start building your <a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt" target="_blank">Livehunt</a> rule, and adjust values accordingly. In this case, our rule will identify files for which a matching Sigma rule recorded a registry value being set under <mark class="my-yara-code"><mark class="red">\\CurrentVersion\\RunOnce\\</mark></mark> whose data ends with <mark class="my-yara-code"><mark class="red">.bat</mark></mark> or <mark class="my-yara-code"><mark class="red">.vbs</mark></mark>. Two caveats are worth keeping in mind: the rule only inspects the context of events that some crowdsourced Sigma rule already matched, not the full EVTX log, so a RunOnce write that no Sigma rule flagged will not be caught; and <mark class="my-yara-code">endswith</mark> is case-sensitive, so a value such as <mark class="my-yara-code">.VBS</mark> would slip through unless you use the case-insensitive <mark class="my-yara-code">iendswith</mark> variant (available in the same YARA versions that provide the <mark class="my-yara-code">icontains</mark> operator the rule already uses for the key path): 
</div>
<div class="my-yara-code interval_12"><p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">import</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"vt"</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">rule</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            sigma_example_registry_keys </span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">{</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">meta</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">:</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;target_entity
            = </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"file"</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">condition</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">:</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">for</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">any</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt_behaviour_sigma_analysis_results </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">in</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt.behaviour.sigma_analysis_results: </span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">for</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">any</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt_behaviour_sigma_analysis_results_match_context </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">in</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt_behaviour_sigma_analysis_results.match_context: </span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;vt_behaviour_sigma_analysis_results_match_context.values</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"TargetObject"</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">icontains</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"\\CurrentVersion\\RunOnce\\"</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">and</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt_behaviour_sigma_analysis_results_match_context.values</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"Details"</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">endswith</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">".vbs"</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">or</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt_behaviour_sigma_analysis_results_match_context.values</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"Details"</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">endswith</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">".bat"</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">}</span>
    </p></div>
<div class="interval_12"> Running this YARA rule with a <a href="https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt" target="_blank">Retrohunt</a> finds multiple files:
</div>
<div class="my-yara-code interval_12">
    daef729493b9061e7048b4df10b71fdba2e11d9147512f48463994a88c834a30
    141e87e62c110b86cf7b01a2def60faab6365f6391eb0d4a7cbad8d480dd4706
    814b2cab7c5a12ec18f345eb743857e74f5be45c35642dc01330e7a0def6269a
    31b0e9b188fe944d58867bbfc827d77c7711c3a690168a417377fe6bf1544408
    dd6051509ed8cf3d059b538fa8878f87423c51b297b49a12144d3d2923c89cce
    647323f0245da631cef57d9ca1e3327c3242fe1cbbf6582c4d187e9f5fbfb678
    40a90dd3b2132a299f725e91a5d0127013b21af24074afb944d8bc5735c1bd53
    b44c6d2dd8ad93cecd795cecde83081292ee9949d65b2e98d4a2a3c8a97bd936
    710b0cca7e7c17a3dd2a309f5ca417b76429feac1ab5fb60f5502995ebbd1515
    50c098119ce41771e7a3b8230a7aa61ebea925e8eda46c33f0dd42b8950b92fe
    </div>
<div class="interval_12"> Here you can see some interesting matches:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/sZLZhAfbKUNhk9RujX-DtJkb9Kg9yFT85fYEcpeyX1fdnglquAV0b8uZv8p4SodmKDpZjUEBp16rEV8ALiwRFYsewYdOBqKuA3b_5dcn9e1fMvHnYZLknfiOPrQ6G81-4408Huvi6-STzDJyC47X5IUuioFoMxljA8CN5dDaz0na3rnpyIM6Stz0aBHIgkJfuVEFe2rZGUCptk5k3KxWyD6DaNAmq6ZV62Efzw" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> The next rule focuses on Sysmon file creation events (Event ID 11) under the &#8220;C:\Windows\System32&#8221; directory, with a &#8220;.dll&#8221; extension and any tag containing &#8220;cve-&#8221; (flagging potential CVE exploitation). Remember that we can always include any additional details about the samples we want to hunt for, such as positives, metadata, tags, engines, &#8230; in addition to EVTX fields:
</div>
<div class="my-yara-code interval_12"><p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">import</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"vt"</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">rule</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            sigma_rule_evtx_cve </span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">{</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">meta</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">:</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;target_entity
            = </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"file"</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">condition</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">:</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">for</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">any</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt_behaviour_sigma_analysis_results </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">in</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt.behaviour.sigma_analysis_results: </span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">for</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">any</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt_behaviour_sigma_analysis_results_match_context </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">in</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt_behaviour_sigma_analysis_results.match_context: </span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;vt_behaviour_sigma_analysis_results_match_context.values</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"TargetFilename"</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">startswith</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"C:\\Windows\\System32\\"</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">and</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;vt_behaviour_sigma_analysis_results_match_context.values</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"TargetFilename"</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">endswith</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">".dll"</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">and</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">for</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">any</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt_metadata_tags </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">in</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
            vt.metadata.tags: </span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;vt_metadata_tags
        </span><span
            style="background-color: transparent; color: #007be6; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">icontains</span><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
        </span><span
            style="background-color: transparent; color: #ff667f; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"cve-"</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: white; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">&nbsp;&nbsp;&nbsp;&nbsp;</span><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
    </p>
    <p dir="ltr"
        style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
            style="background-color: transparent; color: gainsboro; font-family: &quot;Courier New&quot;, monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">}</span>
    </p></div>
<h2 style="text-align: left;">Sysmon EVTX fields - overlaps
</h2>
<div class="interval_12"> Some of the details found in Sysmon EVTX fields (exposed in the VT JSON structure of samples) can be redundant with details provided by other, more traditional fields that you already use in your Livehunt rules through the YARA VT module.
</div>
<div class="interval_12"> For example, instead of:
    <mark class="my-yara-code">vt_behaviour_sigma_analysis_results_match_context.values["TargetFilename"]</mark> from <mark class="my-yara-code">vt.behaviour.sigma_analysis_results</mark>
</div>
<div class="interval_12"> you could use: <mark class="my-yara-code">vt.behaviour.files_written</mark> to identify file creation events.
     </div>
<div class="interval_12"> When that&#8217;s the case, we recommend using traditional <a href="https://docs.virustotal.com/docs/writing-yara-rules-for-livehunt" target="_blank">fields</a> found in VT samples&#8217; structure for the following reasons:
</div>
<div class="interval_12"> <ul>
    <li>Only the part of the Sysmon information that matches the Sigma rule is fully stored and indexed, which limits any YARA hunting on the rest of it.
    </li>
    <li>We mapped most Sysmon fields into the YARA VT module for simplicity.
    </li>
    <li>Linux and MacOS samples do not have any Sysmon information related to Sigma rules; similar details about the match can be found under the &#8220;behaviour&#8221; entry of the JSON structure.
    </li>
</ul> </div>
<div class="interval_12"> The new Sysmon-like details offered in the file &#8220;structure&#8221; also make VT an excellent platform for researchers and Sigma rule creators, allowing them to leverage this information without needing to build their own lab.
</div>
<div class="interval_12"> The following table helps map VT Intelligence queries, YARA VT module fields, Sigma categories, and Sigma fields:
</div>
<div class="interval_12"> 
<table style="border-collapse: collapse; border: none;">
            <colgroup>
                <col width="152">
                <col width="185">
                <col width="144">
                <col width="144">
            </colgroup>
            <tbody>
                <tr style="height: 15.75pt;" class="table-fields">
                    <td
                        style="background-color: #9900ff; border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">VT
                                Intelligence</span></p>
                    </td>
                    <td
                        style="background-color: #9900ff; border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">YARA
                                VT module field</span></p>
                    </td>
                    <td
                        style="background-color: #9900ff; border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">Sigma
                                Category</span></p>
                    </td>
                    <td
                        style="background-color: #9900ff; border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">Sigma
                                Field</span></p>
                    </td>
                </tr>
                <tr style="height: 60pt;">
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_created_processes</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_created</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_creation</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Image</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CommandLine</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentCommandLine</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">OriginalFileName</span>
                        </p>
                    </td>
                </tr>
                <tr style="height: 127.5pt;">
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_files</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_attribute_changed
                                </span></p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_deleted</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_opened</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_copied
                                </span></p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_copied[x].destination</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_copied[x].source</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_written</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_dropped</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_dropped[x].path</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_dropped[x].sha256</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_dropped[x].type</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_access</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_change</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_delete</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_rename</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_event</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetFilename</span>
                        </p>
                    </td>
                </tr>
                <tr style="height: 93.75pt;">
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_injected_processes</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_injected</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_access</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">create_remote_thread</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_creation</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CallTrace</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">GrantedAccess</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">StartModule</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">StartFunction</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceImage</span>
                        </p>
                    </td>
                </tr>
                <tr style="height: 150pt;">
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_processes</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_terminated
                                </span></p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_killed
                                </span></p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_created</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.command_executions</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_injected
                                </span></p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_access</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">create_remote_thread</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_creation</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CallTrace</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">GrantedAccess</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">StartModule</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">StartFunction</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Image</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CommandLine</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentCommandLine</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">OriginalFileName</span>
                        </p>
                    </td>
                </tr>
                <tr style="height: 60pt;">
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_registry</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_deleted</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_opened</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_set</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_set[x].key</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_set[x].value</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_add</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_delete</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_event</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_rename</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_set</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">EventType</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetObject</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Details</span>
                        </p>
                    </td>
                </tr>
                <tr style="height: 82.5pt;">
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_services</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_bound</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_created</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_opened</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_started</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_stopped</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_deleted</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_set</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_creation</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Image</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CommandLine</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentCommandLine</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentImage</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">EventType</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetObject</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Details</span>
                        </p>
                    </td>
                </tr>
                <tr style="height: 352.5pt;">
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_network</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.dns_lookups</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.dns_lookups[x].hostname</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.dns_lookups[x].resolved_ips</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.hosts_file</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.ip_traffic</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.ip_traffic[x].destination_ip</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.ip_traffic[x].destination_port</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.ip_traffic[x].transport_layer_protocol</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].url</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].request_method</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].request_headers</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].response_headers</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].response_status_code</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].response_body_filetype</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].hostname</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].destination_ip</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].destination_port</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].smtp_from</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].smtp_to</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].message_from</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].message_to</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].message_cc</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].message_bcc</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].timestamp</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].subject</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].html_body</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].txt_body</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].x_mailer</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.tls</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">network_connection</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationHostname</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationIp</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationIsIpv6</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationPort</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationPortName</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceIp</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceIsIpv6</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourcePort</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourcePortName</span>
                        </p>
                    </td>
                </tr>
                <tr style="height: 37.5pt;">
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior (too generic)</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.modules_loaded</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">image_load</span>
                        </p>
                    </td>
                    <td
                        style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ImageLoaded</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Image</span>
                        </p>
                        <p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
                                style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">OriginalFileName</span>
                        </p>
                    </td>
                </tr>
            </tbody>
        </table>    
</div>
<h2 style="text-align: left;">Wrapping up
</h2>
<div class="interval_12"> At VirusTotal, we believe that the Sigma language is a valuable tool for the community to share information about samples&#8217; behavior. Our objective is to make its use on VT as simple as possible. Adding MacOS and Linux is just the start of what we are working on: we also aim to add Sysmon for Linux to obtain more robust results, including the ability to download the full generated logs.
</div>
<div class="interval_12"> Remember that <a href="https://support.virustotal.com/hc/en-us/articles/360017450757-Sigma-Rules-List" target="_blank">the list of all the Crowdsourced Sigma rules currently deployed in VirusTotal</a> is available for you to use in threat hunting.
</div>
<div class="interval_12"> We hope you join the Sigma and VirusTotal fan club, and as always <a href="https://www.virustotal.com/gui/contact-us" target="_blank">we are happy to hear your feedback</a>.
</div>
<div class="interval_12"> Happy Hunting!
</div>

<style>  
/* Inline styles shipped with the post body: code listings, <mark> colour
   variants, the field-mapping tables and a few width/spacing helpers.
   Several selectors below are unscoped (a, ul, th:first-child) and therefore
   affect the whole page, not only this post. */
.my-code{
/* Dark code listing: white text on a black, full-width block. */
font-family: "Courier", sans-serif; /* NOTE(review): the fallback is sans-serif; a monospace fallback would keep column alignment when Courier is unavailable. */
font-size: medium; 
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}

/* Light variant of .my-code: black text on a near-white background. */
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium; 
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
}
  
/* Colour-only highlight variants: the browser's default <mark> background is
   removed so only the text colour changes. Colour is the sole signal here, so
   whatever each variant means should also be stated in the surrounding text.
   NOTE(review): Yellow and Orange text is low-contrast on a light background. */
mark.green {
    color:#3cb371;
    background: none;
}
mark.gray {
    color:Gray;
    background: none;
}
mark.yellow {
    color:Yellow;
    background: none;
}
mark.orange {
    color:Orange;
    background: none;
}
mark.red {
    color:Red;
    background: none;
}
mark.blue {
    color:#33BEFF;
    background: none;
}

mark.dark-blue {
    color:Blue;
    background: none;
}
/* Wrapper for the field-mapping tables: monospace text, white table background. */
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}

.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}

/* !important forces bold, untransformed header cells over any inherited rule. */
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}

/* Light-blue cell background; presumably applied to field-name cells. */
.table-fields {
  background: #86aaf9;
}

/* NOTE(review): unscoped -- these widths apply to the first two header cells
   of every table on the page, not only those inside .table-container. */
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }

/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/

.table-container table tr {
border-bottom: 1px solid #eee;
}

/* Narrow viewports: hide the header row and stack each cell as its own block. */
@media (max-width: 580px) {
.table-container table thead {
  display: none;
}

.table-container table td {
  display: block;
}

}
  
/* NOTE(review): unscoped global override -- recolours every link on the page. */
a {
  color: blue!important;
}
  
  
/* Centred block image: 1px black border on the <img>, italic centred caption in the <p>. */
.central_img {
  position: relative;
  display: block;
  margin-left: auto;
  margin-right: auto;
}
  
.central_img img  {
  border: 1px solid #000000;
}

.central_img p  {
  text-align: center;
  font-style: italic;
}

/* Percentage-width helper classes. */
.width_10 {
  width: 10%;
}
  
.width_15 {
  width: 15%;
}
  
.width_20 {
  width: 20%;
}
  
.width_30 {
  width: 30%;
}
    
.width_40 {
  width: 40%;
}
  
.width_50 {
  width: 50%;
}
  
.width_60 {
  width: 60%;
}
  
.width_80 {
  width: 80%;
}
  
.width_90 {
  width: 90%;
}
  
.width_100 {
  width: 100%;
}
  
/* Vertical spacing overrides; !important beats any inherited margin rule.
   NOTE(review): the ul rule is unscoped and applies to every list on the page. */
ul{
  margin-bottom: 5px!important;
}
  
.interval_12{
  margin-bottom: 12px!important;
}

</style>
</div>
</div>
</div>
</article>
</div>

        </div></div>
      
</div>
</div></div>
</div><!-- #content -->
</div><!-- #primary -->
</div><!-- #main -->
</div><!-- #page -->
<script type='text/javascript'>
//<![CDATA[

( function() {
// Theme helper: when the URL fragment changes (a skip link or in-page anchor
// was followed), move keyboard focus to the target element. This is the
// common "skip-link focus fix" pattern; the user-agent sniff presumably limits
// it to engines that did not move focus on fragment navigation.
// NOTE(review): UA sniffing is brittle -- e.g. IE11 does not report 'msie'.
var is_webkit = navigator.userAgent.toLowerCase().indexOf( 'webkit' ) > -1,
   is_opera  = navigator.userAgent.toLowerCase().indexOf( 'opera' )  > -1,
   is_ie     = navigator.userAgent.toLowerCase().indexOf( 'msie' )   > -1;

// The typeof check guards DOM implementations without getElementById.
if ( ( is_webkit || is_opera || is_ie ) && 'undefined' !== typeof( document.getElementById ) ) {
// attachEvent is the legacy (pre-IE9) fallback for addEventListener.
// NOTE(review): attachEvent expects an 'on'-prefixed name ('onhashchange'),
// so in that branch this registration is likely a no-op.
var eventMethod = ( window.addEventListener ) ? 'addEventListener' : 'attachEvent';
window[ eventMethod ]( 'hashchange', function() {
// location.hash carries the leading '#'; strip it to get the element id.
var element = document.getElementById( location.hash.substring( 1 ) );

if ( element ) {
// Elements that are not natively focusable need tabindex=-1 before focus()
// will work (programmatic focus only; they are not added to the tab order).
if ( ! /^(?:a|select|input|button|textarea)$/i.test( element.tagName ) )
element.tabIndex = -1;

element.focus();
}
}, false );
}
})();

//]]>
</script>
<script type='text/javascript'>
//<![CDATA[

( function( $ ) {
// Theme navigation script (jQuery is passed in as `$`): wires up the three
// toggleable top panels (widgets, social links, search) so that at most one is
// open at a time, and sizes the band behind video-format post headers.
$( document ).ready( function() {
// Panels and the anchors that toggle them. Visibility is driven solely by the
// `hide` class; the matching CSS is presumably in the theme stylesheet.
var $widgetsWrapper = $( 'div#widgets-wrapperbwrap' ),
$widgetsTrigger = $( '.widgets-triggerbwrap a' ),
$socialLinksWrapper = $( 'div#social-links-wrapper' ),
$socialLinksTrigger = $( '.social-links-triggerbwrap a' ),
$searchWrapper = $( 'div#search-wrapperbwrap' ),
$searchTrigger = $( '.search-triggerbwrap a' );

// Animate the document back to the top over 400 ms.
function scrollTop() {
$( 'body,html' ).animate( {
scrollTop: 0
}, 400 );
};

/*
* Click events for toggling the top-panels.
* Each of them checks if other panels are already opened,
* and if any of them is opened, it will be hidden.
* Also it makes sure the page goes back to top
* in case the widget panel is really long.
* (The hasClass guard before addClass is redundant -- addClass is idempotent --
* but harmless.)
*/
$widgetsTrigger.click( function( e ) {
e.preventDefault(); // the trigger is an <a>; do not follow its href
scrollTop();
$widgetsWrapper.toggleClass( 'hide' );

if ( ! $socialLinksWrapper.hasClass( 'hide' ) ) {
$socialLinksWrapper.addClass( 'hide' );
}

if ( ! $searchWrapper.hasClass( 'hide' ) ) {
$searchWrapper.addClass( 'hide' );
}
} );

$socialLinksTrigger.click( function( e ) {
e.preventDefault();
scrollTop();
$socialLinksWrapper.toggleClass( 'hide' );

if ( ! $widgetsWrapper.hasClass( 'hide' ) ) {
$widgetsWrapper.addClass( 'hide' );
}

if ( ! $searchWrapper.hasClass( 'hide' ) ) {
$searchWrapper.addClass( 'hide' );
}
} );

$searchTrigger.click( function( e ) {
e.preventDefault();
scrollTop();
$searchWrapper.toggleClass( 'hide' );

if ( ! $widgetsWrapper.hasClass( 'hide' ) ) {
$widgetsWrapper.addClass( 'hide' );
}

if ( ! $socialLinksWrapper.hasClass( 'hide' ) ) {
$socialLinksWrapper.addClass( 'hide' );
}
} );

} );

/*
* A function to adjust the height of the horizontal band for video format post.
* Check the height of .entry-info and add 34px for top and bottom padding.
* The result is written as an inline height on the sibling div.band.
*/
function videoBand() {
$( 'article.format-video .entry-info' ).each( function() {
// NOTE(review): $entryInfo is assigned but never used.
var $entryInfo = $( this ),
$entryInfoHeight = $( this ).height() + 34;
$( this ).parents( 'article.format-video' ).find( 'div.band' ).css( 'height', $entryInfoHeight );
} );
}

// Call videoBand() after a page load completely.
// NOTE(review): .load() as an event shorthand was removed in jQuery 3.0;
// this relies on the jQuery version the template ships.
$( window ).load( videoBand );

// Call videoBand() after IS loads posts ('post-load' is a custom event,
// presumably fired by an infinite-scroll plugin).
$( document ).on( 'post-load', videoBand );
} )( jQuery );

//]]>
</script>

</body>
</html>